4th Circuit limits application of Computer Fraud and Abuse Act

Twenty days after leaving his job as a project director for WEC Carolina Energy Solutions Inc., Mike Miller made a presentation to a prospective client on behalf of Arc Energy Services Inc., a competing provider of specialty welding services. According to WEC, Miller, with the help of his assistant, stole proprietary information from WEC by emailing it from his office email account to his personal Gmail account. Miller then allegedly used that information to lure customers away from WEC for Arc.

WEC sued Miller, his assistant and Arc under the Computer Fraud and Abuse Act (CFAA). That statute, which Congress enacted in 1986, makes it illegal to intentionally access a computer without authorization or to exceed authorized access to a computer to obtain information. Individuals who violate the act can be held liable for any consequential damages and may be subject to criminal penalties including fines and up to 10 years in prison. WEC claimed that Miller and his assistant violated the CFAA because WEC’s employee computer- use policy did not permit employees to download confidential or proprietary information to their personal computers.

On July 26, the 4th Circuit joined a growing group of federal appellate courts that are declining to extend the CFAA’s penalties to employees who violate an employer computer-use policy.

“Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees,” Judge Henry Floyd wrote for a unanimous three-judge panel. “But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.”

Emerging Split

Since Congress updated the CFAA in 2007, employers have been using the statute as a hook to bring disputes with former workers into federal court rather than rolling the dice litigating traditional employment torts in less predictable state court venues. As more of these cases make their way to the federal appeals courts, there is an emerging circuit split over whether it’s appropriate to extend the CFAA to employment disputes.

WEC Carolina Energy Solutions v. Miller follows the 9th Circuit’s April decision in United States v. Nosal, in which the court held that the CFAA’s language did not extend to unauthorized use of information on employer computers. The Nosal court reasoned that because the employee had permission to access the company database from which he was alleged to have stolen data, he did not violate the CFAA by using the data in an unauthorized manner. The statute, the court reasoned, bars accessing a computer without authorization but does not regulate use of data.

These decisions contradict the 7th Circuit’s 2006 decision in International Airport Centers v. Citrin. In that case, the court held that when a worker accesses an employer’s computer to advance interests adverse to the employer, he loses any authority he had to access the employer’s computer or any information on it, and therefore acts in violation of the CFAA. The 1st, 5th and 11th Circuits agree with the 7th Circuit’s reasoning.

“For the employer to win, the 4th Circuit would have had to adopt the 7th Circuit’s reading of [the] CFAA,” says Brian McCoy, who represents the individual defendants in Miller. “I was not surprised that the court found that far too broad.”

The circuit courts’ differing interpretations of the law are creating uncertainty for employers and workers alike, which makes the issue ripe for Supreme Court review.

“Many of these cases involve industries and businesses where it makes sense to take the issue up and get a decision that will provide clarity from the Supreme Court,” says Brent Cossrow, a partner at Fisher & Phillips. “Employers aren’t the only ones who have an interest in resolution of the split. This affects all Americans who use computers in the workplace.”

Access vs. Use

The courts in Miller and Nosal both expressed concern about criminalizing a variety of innocent conduct by broadening the CFAA’s scope to encompass violation of employer computer policies. For instance, the Nosal court asked whether an employee could be violating federal law if he checks a score on ESPN.com during work hours.

According to John Marsh, a partner at Hahn Loeser, these concerns are overstated. “Section 1030(a)(4) of CFAA requires an intent to defraud and accessing a computer in furtherance of that effort,” he says. “Logging onto TMZ to get news about Katy Perry does not implicate an attempt to defraud.”

The differing opinions of federal courts notwithstanding, employers can use the CFAA with confidence under certain circumstances. There is an emerging consensus among courts that people who have been fired from their jobs violate the act if they access computer networks without permission post-termination.

“All courts agree on one bright line—true outsiders are not authorized to access the employer’s computers,” Cossrow says. “If an employee is terminated and then goes back into the employer’s computer, courts agree that violates the act.”

Likewise, courts are more likely to conclude that the act reaches violations of employer policies that explicitly regulate workers’ computer “access” rather than simply their “use.”

“Even in the 9th and 4th Circuits, a well-tailored employer policy that limits access may still trigger [the] CFAA,” Marsh says.

While employers await clarity from the Supreme Court, a variety of state court torts such as breach of fiduciary duty or trade-secret theft are still available to employers that believe a worker has misappropriated information from company computers.

“The state court case against Miller and his secretary is still pending,” McCoy says. “The state law remedies are really the appropriate claims for employers to pursue.”